Improving Adversarial Robustness via Channel-wise Activation Suppressing

TL;DR

This paper introduces a channel-wise activation suppressing strategy to improve the robustness of deep neural networks against adversarial attacks by reducing redundant activations caused by adversarial perturbations.

Contribution

The paper proposes a novel Channel-wise Activation Suppressing (CAS) method that inherently suppresses adversarial activations and enhances existing defense techniques.

Findings

CAS improves adversarial robustness when integrated with existing defenses.

Adversarial examples exhibit higher and more uniformly distributed channel activations.

CAS effectively suppresses redundant activations caused by adversarial perturbations.

Abstract

The study of adversarial examples and their activation has attracted significant attention for secure and robust learning with deep neural networks (DNNs). Different from existing works, in this paper, we highlight two new characteristics of adversarial examples from the channel-wise activation perspective: 1) the activation magnitudes of adversarial examples are higher than that of natural examples; and 2) the channels are activated more uniformly by adversarial examples than natural examples. We find that the state-of-the-art defense adversarial training has addressed the first issue of high activation magnitudes via training on adversarial examples, while the second issue of uniform activation remains. This motivates us to suppress redundant activation from being activated by adversarial perturbations via a Channel-wise Activation Suppressing (CAS) strategy. We show that CAS can train a model that inherently suppresses adversarial activation, and can be easily applied to existing defense methods to further improve their robustness. Our work provides a simple but generic training strategy for robustifying the intermediate layer activation of DNNs.